
Commit b1b5de4

AC-10528:Fix for Order Invoice Comment
1 parent 0d0c94c commit b1b5de4


3 files changed

+133
-19
lines changed


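--- a/app/code/Magento/Sales/view/adminhtml/templates/order/comments/view.phtml
+++ b/app/code/Magento/Sales/view/adminhtml/templates/order/comments/view.phtml
@@ -5,13 +5,14 @@
 */
 
 /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
+/** @var \Magento\Framework\Escaper $escaper */
 ?>
 <?php if ($_entity = $block->getEntity()): ?>
 <div id="comments_block" class="edit-order-comments">
 <div class="order-history-block">
 <div class="admin__field field-row">
 <label class="admin__field-label"
-for="history_comment"><?= $block->escapeHtml(__('Comment Text')) ?></label>
+for="history_comment"><?= $escaper->escapeHtml(__('Comment Text')) ?></label>
 <div class="admin__field-control">
 <textarea name="comment[comment]"
 class="admin__control-textarea"
@@ -30,7 +31,7 @@
 id="history_notify"
 value="1" />
 <label class="admin__field-label"
-for="history_notify"><?= $block->escapeHtml(__('Notify Customer by Email')) ?></label>
+for="history_notify"><?= $escaper->escapeHtml(__('Notify Customer by Email')) ?></label>
 </div>
 <?php endif; ?>
 <div class="admin__field admin__field-option">
@@ -40,7 +41,7 @@
 class="admin__control-checkbox"
 value="1" />
 <label class="admin__field-label"
-for="history_visible"> <?= $block->escapeHtml(__('Visible on Storefront')) ?></label>
+for="history_visible"> <?= $escaper->escapeHtml(__('Visible on Storefront')) ?></label>
 </div>
 </div>
 <div class="order-history-comments-actions">
@@ -59,17 +60,20 @@
 <?= /* @noEscape */ $block->formatTime($_comment->getCreatedAt(), \IntlDateFormatter::MEDIUM) ?>
 </span>
 <span class="note-list-customer">
-<?= $block->escapeHtml(__('Customer')) ?>
+<?= $escaper->escapeHtml(__('Customer')) ?>
 <?php if ($_comment->getIsCustomerNotified()): ?>
-<span class="note-list-customer-notified"><?= $block->escapeHtml(__('Notified')) ?></span>
+<span class="note-list-customer-notified"><?= $escaper->escapeHtml(__('Notified')) ?></span>
 <?php else: ?>
 <span class="note-list-customer-not-notified">
-<?= $block->escapeHtml(__('Not Notified')) ?>
+<?= $escaper->escapeHtml(__('Not Notified')) ?>
 </span>
 <?php endif; ?>
 </span>
 <div class="note-list-comment">
-<?= $block->escapeHtml($_comment->getComment(), ['b', 'br', 'strong', 'i', 'u', 'a']) ?>
+<?= /* @noEscape */ nl2br($escaper->escapeHtml(
+$_comment->getComment(),
+['b', 'br', 'strong', 'i', 'u', 'a']
+))?>
 </div>
 </li>
 <?php endforeach; ?>
@@ -78,7 +82,7 @@
 <?php $scriptString = <<<script
 require(['prototype'], function(){
 submitComment = function() {
-submitAndReloadArea($('comments_block').parentNode, '{$block->escapeJs($block->getSubmitUrl())}')
+submitAndReloadArea($('comments_block').parentNode, '{$escaper->escapeJs($block->getSubmitUrl())}')
 };
 if ($('submit_comment_button')) {
 $('submit_comment_button').observe('click', submitComment);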
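Review bot: The `/* @noEscape */ nl2br($escaper->escapeHtml(...))` at new line 73 is safe only because escaping runs before `nl2br`; a later "clean-up" that swaps the two calls would re-escape the inserted `<br />` or, worse, move the comment text outside the escaper, so the ordering deserves a comment such as `<?php /* escapeHtml first, nl2br second: the inserted <br /> must stay raw */ ?>`. The allow-list keeps `a`, so stored comments can render as live links; that is only acceptable if Escaper::escapeHtml strips attributes that are not on its own allow-list — the page asserts that behaviour only for Helper\Admin::escapeHtmlWithLinks (third file), not for Escaper, so it is worth confirming. The `@var Escaper $escaper` docblock at new line 8 documents a variable the template engine is presumed to inject; nothing on the page shows that injection, so if this template can also be rendered by a path that does not provide `$escaper`, the new calls fail where `$block->escapeHtml` did not. The enclosing `<?php if ($_entity = ...)` block opens in the first hunk and closes outside the visible hunks.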

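--- a/app/code/Magento/Sales/view/adminhtml/templates/order/view/tab/history.phtml
+++ b/app/code/Magento/Sales/view/adminhtml/templates/order/view/tab/history.phtml
@@ -8,20 +8,26 @@
 ?>
 <section class="admin__page-section edit-order-comments">
 <ul class="note-list">
-<?php foreach ($block->getFullHistory() as $_item) : ?>
+<?php foreach ($block->getFullHistory() as $_item): ?>
 <li class="note-list-item">
 <span class="note-list-date"><?= /* @noEscape */ $block->getItemCreatedAt($_item) ?></span>
 <span class="note-list-time"><?= /* @noEscape */ $block->getItemCreatedAt($_item, 'time') ?></span>
 <span class="note-list-status"><?= /* @noEscape */ $block->getItemTitle($_item) ?></span>
-<?php if ($block->isItemNotified($_item, false)) : ?>
+<?php if ($block->isItemNotified($_item, false)): ?>
 <span class="note-list-customer">
 <?= $block->escapeHtml(__('Customer')) ?>
-<?php if ($block->isCustomerNotificationNotApplicable($_item)) : ?>
-<span class="note-list-customer-notapplicable"><?= $block->escapeHtml(__('Notification Not Applicable')) ?></span>
-<?php elseif ($block->isItemNotified($_item)) : ?>
-<span class="note-list-customer-notified"><?= $block->escapeHtml(__('Notified')) ?></span>
-<?php else : ?>
-<span class="note-list-customer-not-notified"><?= $block->escapeHtml(__('Not Notified')) ?></span>
+<?php if ($block->isCustomerNotificationNotApplicable($_item)): ?>
+<span class="note-list-customer-notapplicable">
+<?= $block->escapeHtml(__('Notification Not Applicable')) ?>
+</span>
+<?php elseif ($block->isItemNotified($_item)): ?>
+<span class="note-list-customer-notified">
+<?= $block->escapeHtml(__('Notified')) ?>
+</span>
+<?php else: ?>
+<span class="note-list-customer-not-notified">
+<?= $block->escapeHtml(__('Not Notified')) ?>
+</span>
 <?php endif; ?>
 </span>
 <?php endif; ?>
@@ -32,11 +38,11 @@
 <div class="edit-order-comments-block-title">
 <?= $block->escapeHtml(__('Notes for this Order')) ?>
 </div>
-<?php foreach ($block->getFullHistory() as $_item) : ?>
-<?php if ($_comment = $block->getItemComment($_item)) : ?>
+<?php foreach ($block->getFullHistory() as $_item): ?>
+<?php if ($_comment = $block->getItemComment($_item)): ?>
 <div class="comments-block-item">
 <div class="comments-block-item-comment">
-<?= /* @noEscape */ $_comment ?>
+<?= /* @noEscape */ $block->escapeHtml($_comment) ?>
 </div>
 <span class="comments-block-item-date-time">
 <?= $block->escapeHtml(__('Comment added')) ?>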
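Review bot: The `/* @noEscape */` marker kept on new line 45 now contradicts the call it annotates — the value is escaped by `$block->escapeHtml($_comment)`, so the annotation only serves to silence the escaping sniff and should go: `<?= $block->escapeHtml($_comment) ?>`. The second hunk is also the real hardening in this commit (the old line printed `$_comment` raw), yet it now disagrees with view.phtml in the same commit, which renders the same comment text through `escapeHtml` with the `['b', 'br', 'strong', 'i', 'u', 'a']` allow-list and `nl2br`: a comment shown with formatting on the comments tab shows here as literal `&lt;b&gt;` text with newlines collapsed. If that divergence is not intended, the same allow-list and `nl2br` wrapping would keep the two tabs consistent, unless `getItemComment()` already performs escaping, which is not visible on the page. This file also keeps `$block->escapeHtml` throughout while view.phtml migrates to `$escaper`, so the two templates now use different escaping entry points for no stated reason. The surrounding `<?php foreach` and `<?php if` blocks opened in the second hunk close outside it.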
Lines changed: 104 additions & 0 deletions
@@ -0,0 +1,104 @@
1+
<?php
2+
/**
3+
* Copyright © Magento, Inc. All rights reserved.
4+
* See COPYING.txt for license details.
5+
*/
6+
declare(strict_types=1);
7+
8+
namespace Magento\Sales\Helper;
9+
10+
use Magento\TestFramework\Helper\Bootstrap;
11+
12+
/**
13+
* Tests \Magento\Sales\Helper\Admin
14+
*/
15+
class AdminTest extends \PHPUnit\Framework\TestCase
16+
{
17+
/**
18+
* @var Admin
19+
*/
20+
private $helper;
21+
22+
/**
23+
* @inheritdoc
24+
*/
25+
protected function setUp(): void
26+
{
27+
$this->helper = Bootstrap::getObjectManager()->create(Admin::class);
28+
}
29+
30+
/**
31+
* @param string $data
32+
* @param string $expected
33+
* @param null|array $allowedTags
34+
* @return void
35+
*
36+
* @dataProvider escapeHtmlWithLinksDataProvider
37+
*/
38+
public function testEscapeHtmlWithLinks(string $data, string $expected, $allowedTags = null): void
39+
{
40+
$actual = $this->helper->escapeHtmlWithLinks($data, $allowedTags);
41+
$this->assertEquals($expected, $actual);
42+
}
43+
44+
/**
45+
* @return array
46+
*/
47+
public function escapeHtmlWithLinksDataProvider(): array
48+
{
49+
return [
50+
[
51+
'<a>some text in tags</a>',
52+
'&lt;a&gt;some text in tags&lt;/a&gt;',
53+
'allowedTags' => null,
54+
],
55+
[
56+
// @codingStandardsIgnoreStart
57+
'Authorized amount of €30.00. Transaction ID: "<a target="_blank" href="https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_view-a-trans&id=123456789QWERTY">123456789QWERTY</a>"',
58+
'Authorized amount of €30.00. Transaction ID: &quot;<a href="https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_view-a-trans&amp;id=123456789QWERTY">123456789QWERTY</a>&quot;',
59+
// @codingStandardsIgnoreEnd
60+
'allowedTags' => ['b', 'br', 'strong', 'i', 'u', 'a'],
61+
],
62+
[
63+
'Transaction ID: "<a target="_blank" href="https://www.paypal.com/?id=XX123XX">XX123XX</a>"',
64+
'Transaction ID: &quot;<a href="https://www.paypal.com/?id=XX123XX">XX123XX</a>&quot;',
65+
'allowedTags' => ['b', 'br', 'strong', 'i', 'u', 'a'],
66+
],
67+
[
68+
'<a>some text in tags</a>',
69+
'<a>some text in tags</a>',
70+
'allowedTags' => ['a'],
71+
],
72+
[
73+
"<a><script>alert(1)</script></a>",
74+
'<a>alert(1)</a>',
75+
'allowedTags' => ['a'],
76+
],
77+
[
78+
'<a href=\"#\">Foo</a>',
79+
'<a href="%5C&quot;#%5C&quot;">Foo</a>',
80+
'allowedTags' => ['a'],
81+
],
82+
[
83+
"<a href=http://example.com?foo=1&bar=2&baz[name]=BAZ>Foo</a>",
84+
'<a href="http://example.com?foo=1&amp;bar=2&amp;baz%5Bname%5D=BAZ">Foo</a>',
85+
'allowedTags' => ['a'],
86+
],
87+
[
88+
"<a href=\"javascript&colon;alert(59)\">Foo</a>",
89+
'<a href="javascript&amp;colon;alert(59)">Foo</a>',
90+
'allowedTags' => ['a'],
91+
],
92+
[
93+
"<a href=\"http://example1.com\" href=\"http://example2.com\">Foo</a>",
94+
'<a href="http://example1.com">Foo</a>',
95+
'allowedTags' => ['a'],
96+
],
97+
[
98+
"<a href=\"http://example.com?foo=text with space\">Foo</a>",
99+
'<a href="http://example.com?foo=text%20with%20space">Foo</a>',
100+
'allowedTags' => ['a'],
101+
],
102+
];
103+
}
104+
}
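Review bot: `testEscapeHtmlWithLinks` at new line 38 leaves `$allowedTags` untyped while every call site passes `null` or an array; `?array $allowedTags = null` would pin the contract and let the engine reject anything else. The data provider at new line 47 is an instance method returning unnamed datasets, so a failure is reported only as "data set #5"; making it `public static` and keying each case (`'script tag inside allowed anchor' => [...]`) would make the assertion that `<script>` is stripped from an allowed `<a>` self-describing. The entity-encoded scheme case at new lines 88-89 is a good negative test; a sibling case with a plain `javascript:` href would document how the helper treats a non-http scheme, with the expected value taken from the helper's own allow-list rather than guessed here. Note that this section's file-header line is missing from the rendering, so the test's path cannot be confirmed from the page.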
